CVE-2026-34070 is a path traversal vulnerability classified under CWE-22, discovered in the langchain framework, a popular tool for building agents and large language model (LLM)-powered applications. The vulnerability exists in multiple functions within the langchain_core.prompts.loading module, specifically in how they handle file paths embedded in deserialized configuration dictionaries. Prior to version 1.2.22, these functions do not adequately validate or sanitize the file paths, allowing attackers to craft malicious prompt configurations that include directory traversal sequences or absolute paths. When such crafted configurations are passed to load_prompt() or load_prompt_from_config(), the application may read arbitrary files from the host filesystem. Although the vulnerability restricts file reads to certain extensions (.txt for templates, .json and .yaml for examples), this still permits exposure of sensitive information stored in these formats. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The flaw was addressed and patched in langchain version 1.2.22, which implements proper validation to prevent directory traversal and absolute path injection attacks. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 7.5, indicating a high severity primarily due to the potential for unauthorized disclosure of confidential information.

The primary impact of CVE-2026-34070 is unauthorized disclosure of sensitive information through arbitrary file reads on systems running vulnerable versions of langchain. Organizations leveraging langchain for LLM applications may inadvertently expose configuration files, credentials, logs, or other sensitive data stored in .txt, .json, or .yaml files. This can lead to data breaches, intellectual property theft, or leakage of internal system details that could facilitate further attacks. Since the vulnerability does not affect integrity or availability, the direct impact is limited to confidentiality. However, the ease of exploitation without authentication or user interaction means attackers can remotely probe and extract data at scale. Enterprises in sectors such as technology, finance, healthcare, and government using langchain in production environments face elevated risk. Additionally, attackers could use the disclosed information to escalate privileges or pivot within networks, amplifying the threat. The lack of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s presence in a widely adopted AI framework underscores the need for prompt remediation.

To mitigate CVE-2026-34070, organizations should immediately upgrade langchain to version 1.2.22 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement strict input validation and sanitization on any user-supplied prompt configurations before passing them to load_prompt() or load_prompt_from_config(). Employ application-layer controls to restrict file system access and enforce least privilege principles for the application runtime user. Monitor logs for suspicious file access patterns indicative of directory traversal attempts. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block path traversal payloads targeting langchain endpoints. Conduct thorough code reviews and security testing of any custom integrations with langchain to ensure no insecure deserialization or unsafe file handling occurs. Finally, maintain an inventory of all systems running langchain to ensure timely patch management and vulnerability scanning.